Mark Misulich wrote:
> Hi,
> I used rkhunter a couple of days ago by running in terminal as root
> "rkhunter -c --sk" and came up with multiple file warnings, including
> that there was a key logger installed. I had no indications of a

Where is the key logger warning? I looked at your report, and didn't see one.

[...]

> linux-bd31:/home/lxmark # rkhunter -c --sk
> [ Rootkit Hunter version 1.3.2 ]

Output trimmed except for warnings...

> Checking system commands...
> [...]
> Performing file properties checks
> /usr/bin/groups [ Warning ]
> /usr/bin/ldd [ Warning ]
> /sbin/chkconfig [ Warning ]
> /sbin/ifup [ Warning ]
>
> Performing system configuration file checks
> Checking if SSH root access is allowed [ Warning ]

This is not necessarily a problem. It's common, especially in servers, to
allow root to log in remotely for purposes of maintenance.

> Performing filesystem checks
> Checking /dev for suspicious file types [ Warning ]
>
> System checks summary
> =====================
>
> File properties checks...
> Files checked: 135
> Suspect files: 4

This may be because they are scripts. See above. You need to examine your
output log to ascertain exactly what the warning is about. Also, if you use a
package manager like RPM, and tell rkhunter about it, then it may make some or
all of these warnings go away.

> All results have been written to the logfile (/var/log/rkhunter.log)

Look in this file, and see what exactly the warnings mean.

> I am requesting your opinion as to whether this was a spurious
> warning regarding a keylogger. If someone can tell me how to access
> the previous log which showed all the warnings including the
> keylogger warning, I will post that if it is pertinent.

I don't see the mention of a keylogger. Actually, the system looks pretty
clean to me. The four files /usr/bin/groups, /usr/bin/ldd, /sbin/chkconfig,
and /sbin/ifup are very slightly concerning. As I mentioned, they may simply
be scripts on your system, and informing rkhunter about your package manager
may make those go away. You also need to look at the report on /dev and see
why it has an unusual file in it.

My system has MAKEDEV in it, which is executable, and I used to get a similar
warning until I told rkhunter about my package manager.

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!
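The triage Mike describes (read the log for the reason behind each warning, check whether the flagged files are scripts, and cross-check them against the package manager) as an added shell example; this is not code from the thread or from rkhunter itself, and it assumes the four paths named in the post, an RPM-based system, and the `[HH:MM:SS] Warning: ...` log line prefix used here only as a constructed approximation of rkhunter's log format.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Triage "file properties"
# warnings from "rkhunter -c --sk" as the reply suggests. Assumptions: the
# flagged paths are the four from the post, and RPM is the package manager.

# Paths reported as [ Warning ] in the post's output.
FLAGGED="/usr/bin/groups /usr/bin/ldd /sbin/chkconfig /sbin/ifup"

# Print "script" if the file starts with a "#!" shebang, else "binary".
# rkhunter often flags scripts because some distributions ship commands
# such as these as shell scripts rather than compiled binaries.
classify() {
    first=
    { IFS= read -r first < "$1"; } 2>/dev/null
    case "$first" in
        '#!'*) echo script ;;
        *)     echo binary ;;
    esac
}

# Extract only the Warning lines from an rkhunter log, dropping the
# (assumed) "[HH:MM:SS] " timestamp prefix so the reason is easy to read.
log_warnings() {
    grep -i 'warning' "$1" | sed 's/^\[[0-9:]*\] *//'
}

# Ask RPM whether the file still matches its package. Empty output means no
# recorded attribute (size, mode, digest, mtime, ...) differs from the RPM.
rpm_verify() {
    rpm -Vf "$1" 2>/dev/null
}

# Report each flagged path: script or binary, and what RPM says about it.
# Once the files check out, set PKGMGR=RPM in rkhunter.conf and run
# "rkhunter --propupd" so later runs compare against package metadata.
triage() {
    for f in $FLAGGED; do
        printf '%s: %s' "$f" "$(classify "$f")"
        if command -v rpm >/dev/null 2>&1; then
            v=$(rpm_verify "$f")
            if [ -z "$v" ]; then printf ', rpm -V: unchanged'
            else printf ', rpm -V: %s' "$v"; fi
        fi
        printf '\n'
    done
}

triage
log_warnings /var/log/rkhunter.log 2>/dev/null
```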